Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

search in a multiple index at one go

abhayneilam
Contributor
‎10-17-2012 10:20 AM

I want five keywords to search in 3 indexes named "one" , "two" , "three"

I want my output like :

keyword "one" "two" "three"
mumbai 5 3 2
kolkata 2 2 1
chennai 0 6 4

all the numeric fields are the no. of occurance of keyword in each index ( one, two and three)
Now, I am able to generate for "one" index , but If I run the same query for three index separately then 3 reports would be generated,but I want to create only one report , is there any way to search the same query for more than one index at a same time so that i can have above output

please help

Thanks

Tags (3)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2012 10:52 AM

I'm not sure if this is what you are looking for, but you could use the contingency keyword

sourcetype=foo | contingency keyword, index

It should output something like:

keyword one two three four TOTAL
Mumbai count count count count total_count
chennai count count count count total_count

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Contingency

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2012 12:23 PM

By using the contingency command as mentioned earlier. You're entire search would be sourcetype=foo index=one OR index=two OR index=three|contingency keyword index

0 Karma
Reply

abhayneilam
Contributor
‎10-17-2012 12:21 PM

but How can I bring them in the table together ?

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎10-17-2012 11:10 AM

If you are refering to Splunk indexes, you can throw them in the same search.

sourcetype=foo index=one OR index=two OR index=three

0 Karma
Reply

abhayneilam
Contributor
‎10-17-2012 11:07 AM

I have one index created called "one" and m running my search on this index and I am getting the output as :
keyword "one"

mumbai 5
kolkata 2
chennai 0

for another index "two", my output would be

keyword "two"
mumbai 3

kolkata 2
chennai 6

So, I have two separate report with me..But instead of creating two reports I want to create only one report which would contain

keyword "one" "two"
mumbai 5 3
kolkata 2 2
chennai 6 4

I want this output..Please help !!

Hope you understood my requirement

Thanks
Abhay

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...